Bug 48786 - Serious security problem in vipw, util-linux 2.10s
Serious security problem in vipw, util-linux 2.10s
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: util-linux (Show other bugs)
7.1
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Bill Nottingham
David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-07-11 15:49 EDT by Jack Lloyd
Modified: 2014-03-16 22:21 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-07-18 19:43:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jack Lloyd 2001-07-11 15:49:41 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.4.3-12smp i686; Nav)

Description of problem:
There is an incredibly serious problem with vipw in util-linux 2.10s on
Redhat 7.1. If you edit the /etc/shadow or /etc/gshadow files, vipw
actually creates a copy in /etc (or somewhere), and lets you edit that.
Afterwards, it copies it back to the normal location. However, it doesn't
set the permissions correctly, resulting in a world-readable /etc/shadow,
allowing brute force attacks.

How reproducible:
Always

Steps to Reproduce:
1. Run vipw
2. Do some random change (insert and delete space, whatever), then save
3. Say yes when promted to edit /etc/shadow
4. Do another random change
5. /etc/shadow now has mode 644


Actual Results: 
[root@caliper /root]# ls -l /etc/shadow
-rw-------    1 root     root          847 Jul 11 15:42 /etc/shadow
[root@caliper /root]# vipw
<here I'm editing /etc/passwd>
You are using shadow passwords on this system. Would you like to edit
/etc/shadow now [y/n]? y
<here I'm editing /etc/shadow>
[root@caliper /root]# ls -l /etc/shadow
-rw-r--r--    1 root     root          847 Jul 11 15:48 /etc/shadow
[root@caliper /root]# 

Expected Results:  /etc/shadow and /etc/gshadow should always be 600.

Additional info:

At first I thought that vipw was just ignoring my umask, which would be bad
enough but at least it's an easy fix. (make sure root's umask is always
077). However, even with a umask of 077, the file is created mode 644.

This problem was also observed on a Mandrake 8.0 system with util-linux
2.11d
Comment 1 Bill Nottingham 2001-07-12 11:31:02 EDT
working on it, thanks!
Comment 2 Bill Nottingham 2001-07-18 20:23:04 EDT
Fixed in the errata.

Note You need to log in before you can comment on or make changes to this bug.